Bunnings
Summary
Bunnings, Australia's largest hardware retail chain, experienced a data exposure incident in February 2019 when an individual staff member inadvertently made a staff performance database publicly accessible. The breach exposed internal employee performance metrics and work-related information. While classified as Minor due to the limited scope and internal nature of the data, the incident highlighted the risks of human error in data handling even at large, well-resourced organisations.
What Happened
Misconfiguration. A Bunnings employee accidentally configured a staff performance database in a way that made it accessible outside the company's internal network. The database contained employee names, work performance metrics, store locations, and potentially manager assessments. The exposure occurred because the staff member, described as doing "unwanted homework," made an error while working with the database that left it accessible to unauthorised parties. Bunnings discovered the exposure and immediately secured the database.
Impact on Individuals
- Performance Data Exposed: Internal staff performance ratings and assessments made visible
- Workplace Implications: Performance information could affect staff relationships and future opportunities
- Manager Feedback: Potentially sensitive manager comments or assessments exposed
- Limited Personal Data: Primarily work-related information rather than sensitive personal details
- Internal Concern: Staff worried about how performance data might be used or shared
While the breach involved employment data rather than highly sensitive personal data, it nonetheless created privacy concerns for affected Bunnings team members.
Response
Bunnings immediately secured the exposed database once the error was discovered. The company investigated how the misconfiguration occurred and implemented additional safeguards to prevent similar accidental exposures. Bunnings notified affected staff members about the incident and reviewed its data handling procedures and employee training around database access and configuration. The incident was reported to appropriate authorities as required. The breach served as a reminder that even well-intentioned employees can inadvertently create security exposures through configuration errors or misunderstanding of system settings.